Re: [PATCH v2] ntfs: fix out-of-bounds write in ntfs_index_walk_down()
From: Namjae Jeon
Date: Thu May 07 2026 - 08:55:35 EST
On Thu, May 7, 2026 at 11:18 AM DaeMyung Kang <charsyam@xxxxxxxxx> wrote:
>
> ntfs_index_walk_down() used to update the index traversal depth
> directly before writing parent_pos[] and parent_vcn[]. A malformed
> directory index with too many child-node levels can therefore advance
> pindex past MAX_PARENT_VCN and write past the fixed arrays in struct
> ntfs_index_context, corrupting context state used by later index
> traversal.
>
> Use ntfs_icx_parent_inc() for walk-down transitions so the existing
> depth limit is enforced before the arrays are updated. Make the helper
> check the limit before incrementing pindex so failed callers do not
> leave the context at an out-of-range depth.
>
> This is reachable by iterating a crafted NTFS directory after the volume
> has been mounted, including read-only mounts. The reproducer uses
> getdents64() on an index root that points to an excessively deep chain
> of child index blocks.
>
> A crafted directory index with a chain of child-node entries reproduced
> UBSAN array-index-out-of-bounds reports in ntfs_index_walk_down() and
> subsequent KASAN reports in ntfs_index_walk_up(). With this change, the
> same image is rejected with "Index is over 32 level deep" and no KASAN
> or UBSAN report is emitted.
>
> Fixes: 0a8ac0c1fa0b ("ntfs: update directory operations")
> Suggested-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> Signed-off-by: DaeMyung Kang <charsyam@xxxxxxxxx>
Applied it to #ntfs-next.
Thanks!
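Added example, not code from the patch or the ntfs driver: a simplified C model of the parent stack the commit message describes. MAX_PARENT_VCN = 32 is the limit quoted in the message; the struct layout, the helper and function names, and the constructed chain of child levels are assumptions made for illustration. It contrasts the unchecked walk-down, the old bump-then-check helper (which leaves pindex out of range after a failed call) and the check-then-bump helper the patch describes, using a UBSAN-like stand-in that counts past-the-end stores instead of performing them.

```c
#include <stdio.h>
#include <string.h>

/* Limit named in the commit message. The struct is an assumed, simplified
 * model of the fixed arrays it describes, not the kernel's real layout. */
#define MAX_PARENT_VCN 32

struct idx_ctx {
	int pindex;                           /* current traversal depth */
	int parent_pos[MAX_PARENT_VCN];       /* entry position per level */
	long long parent_vcn[MAX_PARENT_VCN]; /* child block VCN per level */
	unsigned long later_state;            /* what a past-the-end write would clobber */
};

/* Stand-in for UBSAN: an out-of-range index is counted and the store is
 * skipped, rather than letting the example corrupt its own memory. */
static int oob_stores;

static void store_parent(struct idx_ctx *icx, int pos, long long vcn)
{
	if (icx->pindex < 0 || icx->pindex >= MAX_PARENT_VCN) {
		oob_stores++;
		return;
	}
	icx->parent_pos[icx->pindex] = pos;
	icx->parent_vcn[icx->pindex] = vcn;
}

/* Old helper shape: bump first, then check. A failed call leaves
 * pindex == MAX_PARENT_VCN, an out-of-range depth. */
static int parent_inc_old(struct idx_ctx *icx)
{
	icx->pindex++;
	if (icx->pindex >= MAX_PARENT_VCN)
		return -1; /* "Index is over 32 level deep" */
	return 0;
}

/* Fixed shape: check the limit first; pindex changes only on success. */
static int parent_inc_fixed(struct idx_ctx *icx)
{
	if (icx->pindex + 1 >= MAX_PARENT_VCN)
		return -1;
	icx->pindex++;
	return 0;
}

/* Buggy walk-down: depth advanced directly, arrays written with no limit. */
static void walk_down_unchecked(struct idx_ctx *icx, int pos, long long vcn)
{
	icx->pindex++;
	store_parent(icx, pos, vcn);
}

/* Fixed walk-down: go through the helper, write only after it succeeds. */
static int walk_down_checked(struct idx_ctx *icx, int (*inc)(struct idx_ctx *),
			     int pos, long long vcn)
{
	int err = inc(icx);
	if (err)
		return err;
	store_parent(icx, pos, vcn);
	return 0;
}

/* Walk a constructed chain of `levels` child nodes (entry lvl, VCN 1000+lvl).
 * inc == NULL selects the unchecked walk-down. */
static int walk_chain(struct idx_ctx *icx, int (*inc)(struct idx_ctx *), int levels)
{
	memset(icx, 0, sizeof(*icx));
	for (int lvl = 0; lvl < levels; lvl++) {
		if (inc == NULL)
			walk_down_unchecked(icx, lvl, 1000 + lvl);
		else if (walk_down_checked(icx, inc, lvl, 1000 + lvl))
			return -1;
	}
	return 0;
}

/* Number of past-the-end stores the unchecked walk attempts for a chain. */
int oob_stores_unchecked(int levels)
{
	struct idx_ctx icx;
	oob_stores = 0;
	walk_chain(&icx, NULL, levels);
	return oob_stores;
}

/* Depth the context is left at after walking with the given helper. */
int depth_after_walk(int (*inc)(struct idx_ctx *), int levels)
{
	struct idx_ctx icx;
	walk_chain(&icx, inc, levels);
	return icx.pindex;
}

/* 1 if the walk with the given helper rejected the chain, else 0. */
int walk_rejected(int (*inc)(struct idx_ctx *), int levels)
{
	struct idx_ctx icx;
	return walk_chain(&icx, inc, levels) != 0;
}

int main(void)
{
	printf("unchecked, 40 levels: %d past-the-end stores\n", oob_stores_unchecked(40));
	printf("old helper, 40 levels: rejected=%d, left at pindex=%d\n",
	       walk_rejected(parent_inc_old, 40), depth_after_walk(parent_inc_old, 40));
	printf("fixed helper, 40 levels: rejected=%d, left at pindex=%d\n",
	       walk_rejected(parent_inc_fixed, 40), depth_after_walk(parent_inc_fixed, 40));
	return 0;
}
```

The point of the two helper shapes is the state left behind on failure: the bump-then-check variant rejects the deep chain but leaves pindex at 32, so any later code trusting pindex as an array index still indexes past the end; the check-then-bump variant rejects at the same level while pindex stays at 31.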